The passage of the health care reform bill in the US Congress has freed up time to debate other pending legislation, including several bills around cybersecurity.  Notably, last week, at a Commerce, Science & Transportation Committee hearing , US senators approved Cybersecurity Act S 773.  With committee passage, this bill can now proceed towards broader debate and a senate vote.   This bill also joins several other cybersecurity bills under debate in the US House of Representatives.

I won't go into all the details in the legislation (you can see it here), but one provision that was removed during the committee hearing this week was a provision that would have given the President of the United States the ability to stop all Internet traffic in the event of a major cyber attack or emergency.  Although this provision was removed, I have been thinking about it and pondering several questions. 

How would such an order be implemented? 

The Internet so widely distributed, how would authorities actually go about shutting down service providers?  And given that the order would occur during a cyber emergency when such communication vehicles (cellular and wired networks) may not be functioning, how would service providers actually receive the notice?

Can the Internet really be shut down?

Given that the original Internet was designed to withstand a nuclear attack, is it even possible or feasible to shut down the Internet?  Service providers re-route traffic all the time for bandwidth optimization reasons, so determining how this would work could be a major challenge.  This provision also makes me wonder how well this provision was understood and debated in the Senate Committee.

Should any individual have the ability to shut down the Internet?

If we accept that some mechanism could shut down the Internet, the person(s) possessing the ability to issue such an order would yield tremendous power.   Besides raising questions around how such an order would be issued and authenticated , it also opens a new target for hackers-how to impersonate senior US leadership and use that to issue erroneous orders to shut down the Internet. 

My scenario may not seem so far-fetched, given recent news about President Obama's Twitter account being hacked.  It also reminds me of the proposed idea to implement remote controls in airplanes so that law enforcement people could override the controls of terrorists/hijackers in this air.  Sounds great, until you realize that now all people need to do is compromise the remote control system and they can hijack planes without ever having to board them!  

This proposal opened up some very interesting technical questions, but I think my musings also prove that cutting this proposal was a wise decision.   I applaud the passage of S.773 and look forward to seeing it progress through both houses in the coming months.